The best thing one can do is not use cookies -> no need for a consent banner.
If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
The question always is whether there's a negative consequence outweighing the "positive" incentive of trying to increase favorable consent decisions by using dark patterns.
I had the pleasure to learn a lot about this while working in the higher levels of some German company with a somewhat questionable track record.
Here's what you can do (only applies to Germany, but might be similar elsewhere):
Complain to the data protection authority of your local state in writing. These complaints will be followed up by the authority and if enough of them accumulate, the company will have a bad time and the aforementioned incentive equation will be bent towards the end that favors user privacy.
Don't write angry emails. Nobody cares and you waste time.
Pretty clearly so. It seems weird to me that so many companies put up a cookie banner in order to avoid breaking the law, and then break the law in order to make it less effective. I suppose the win here is that if the (fairly toothless) regulators notice you can say "oh we thought this was enough" and then tweak it. But in that case why not just have no banner at all, and wait until they notice in the first place?
Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law, so why not just ignore the law. Presumably you're probably out of the jurisdiction anyway if you're bothering to do this.
> Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law
Since when? The GDPR explicitly only applies if you offer your shit to EU subjects or monitor EU subject behavior while they're in the EU. By actively rejecting those potential customers and not tracking them (because you refuse to provide them the product), does that not suffice to not have to worry about the rest of the terms?
I know there are a few cases regarding linking to news articles and how the company in question can't stop providing that service, but in all such cases I'm aware of the offending company had other ties to the EU whereby the GDPR might have been enforceable.
Actually not true, the regulation (ePrivacy Directive / PECR in the UK) applies to all trackers including cookies, pixels, scripts, etc. If you can do with only “strictly necessary” across those then you're right.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
Except this is not the question. Why is it so hard for people to understand cookies are absolutely needed even if you just want to calculate retention or number of unique visitors.
I'd like to point out that I answered the question even if not using cookies is not an option.
But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.
It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.
Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).
This is completely false. You need permission for any data you store on a user device or retrieve from a user device if that is not strictly needed for the execution of the service the user requested. Nowhere in the law is the word "cookie" even used, so your suggestion that "1st party cookie" is different from "3rd party cookie" is wrong. And similarly, this whole thing also applies to all alternative tracking methods, so you cannot avoid it by using localStorage for example.
A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basket are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).
This is what is false. You can use first party tracking using cookies, local storage, IndexedDB, whatever you like without consent as long as it is not tied to any PII and it is essential for _operating_ your service. Diagnostics, page views, flows through the app, even with a unique identifier for that session is fine and 100% acceptable for both GDPR and CCPA unless it's shared with third-parties or tied directly to PII.
The easiest thing to do here is to simply not associate those sessions with a particular user. Even if your user accounts are tied to specific PII for essential purposes of your app. As long as the tracking data is not connected to that identifier, does not log any PII data on its own, and is not shared with third parties you do not need consent.
One quick edit: Be careful with collecting errors, it's easy for backtraces to include application specific data including any PII you might have which will tie that session back to a specific user and becomes a violation.
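An added example (not code from the thread) of the separation this comment describes: random session ids with no link to an account, a store that refuses identifying fields, per-session flows and visitor counts computed without a user id, and error traces scrubbed before they are kept; the sample traffic and the PII values in it are constructed. Whether this arrangement removes the consent requirement is the point the replies that follow dispute.

```python
import re
import secrets
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ALLOWED_FIELDS = {"session", "event", "path", "trace"}  # no user_id, ip, email, ...

def new_session_id() -> str:
    # Random per-visit identifier; nothing ties it to an account record.
    return secrets.token_urlsafe(16)

def scrub_backtrace(text: str, known_pii=()) -> str:
    # Redact e-mail addresses plus caller-supplied PII values (e.g. the signed-in user's name).
    out = EMAIL_RE.sub("[email]", text)
    for value in filter(None, known_pii):
        out = out.replace(value, "[redacted]")
    return out

class AnalyticsStore:
    def __init__(self):
        self.events = []

    def _append(self, **fields):
        # Refuse any field that could link a session back to a person.
        extra = set(fields) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"identifying fields rejected: {sorted(extra)}")
        self.events.append(fields)

    def page_view(self, session, path):
        self._append(session=session, event="page_view", path=path)

    def error(self, session, trace, known_pii=()):
        self._append(session=session, event="error", trace=scrub_backtrace(trace, known_pii))

    def unique_sessions(self):
        return len({e["session"] for e in self.events})

    def flow(self, session):
        return [e["path"] for e in self.events
                if e["session"] == session and e["event"] == "page_view"]

def demo() -> AnalyticsStore:
    # Constructed sample traffic: two sessions, one error whose trace carries PII.
    store = AnalyticsStore()
    a, b = new_session_id(), new_session_id()
    store.page_view(a, "/")
    store.page_view(a, "/pricing")
    store.page_view(b, "/")
    trace = "ValueError: cannot ship order for alice@example.com (Alice Example)\n"
    store.error(a, trace, known_pii=("Alice Example",))
    return store
```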
The language in the UK version of the law is "strictly necessary for the provision of an information society service requested by the subscriber or user", which the ICO interprets as meaning "it must be essential to fulfil their request". I don't think tracking page views counts, because it's technically possible to serve a page without using a cookie to track that it was viewed.
You're forgetting about the ePrivacy directive (or "cookielaw"). That has nothing to do with whether the information is identifying or not, you need permission for everything that isn't strictly necessary to deliver the service the user requested.
Analytics is not strictly necessary to deliver the service.
Thank you. I have done so many implementations of GDPR. The cookie consent pop-ups everywhere are only needed because of how aggressively these third parties collect information (and that they _are_ third parties).
Just don't collect PII beyond what is absolutely essential for your application, and don't share it with third parties. Bam, you don't have to get consent. Knowing what classifies as PII is still a hard problem because it's full of so many conditionals. Email is not PII unless you have some part of their name for example, and it counts if your company receives an email from that person that includes their name in the From field.
All the cookie banners out there are designed to make people weary of them into just accepting the previous practices. It's malicious compliance.
If you're doing 1st-party tracking, and you are collecting personal data for that purpose (which is almost by definition going to be true), and the user hasn't explicitly asked for that tracking to take place (for instance by creating an account and logging in, or by putting items in a shopping basket and expecting them to be retained) then yes you will need to ask for consent to do that tracking.
The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.
I was referring to the grey area of legitimate interest in the law and how I was briefed to interpret it ca. 2021. Things may have moved on and I am not a lawyer. You might be right and what the lawyers told me back then isn't true or was true and is no longer considered true.
What I was basically saying is that 1st-party cookies are considered more likely to reflect a legitimate interest than 3rd-party cookies. And I think that is what the interpretation of the law was (or maybe still is).
You can do 1st-party tracking without collecting personally identifiable information if it's just about retention without a user ID, which I was referring to. And I in fact think that there is a case to be made that this could be part of the legitimate interests of improving the user experience on a web property of a given business, hence not requiring consent.
I'll certainly agree that this is an area where different opinions abound, and also you are much less likely to be prosecuted for this, so it's likely that advice would be that it's probably alright and you'll get away with it. But a strict interpretation of the law says that you can't use information gathered for a purpose for which the user didn't consent (or deliberately ask for, etc), even if you have it lying around because you collected it for a separate reason that is valid.
Regarding arguing that improving the user experience is a legitimate interest - I'm not aware of that having been argued and decided in court, but my opinion is that it is a hopeful misinterpretation of the law, and a slippery slope towards quite egregious data collection.
Yes, you can collect web site metrics without identifying information, for instance how many times are the different links on a particular page clicked on, but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.
> [...] but if you're linking one page request to another by the identity of the browser that is requesting them, then that is crossing the line.
Just out of curiosity: That would be crossing a line, because it might be potentially possible to reconstruct an identity from the linked navigation pattern?
If so, I guess I would consider that beyond the realm of what any normal internet lawyer would include in their advice.
A cookie used solely for counting anonymous visits without storing individual identifiers generally wouldn't be considered personally identifiable information under GDPR.
At least that's what I was told. Having said that, this is obviously a complicated and nuanced topic with a lot of grey areas. I guess it's a good idea to talk to a lawyer in any case.
> even if you just want to calculate retention or unique visitors.
Why is it so hard for people to understand that I just want you to serve me the page and bugger off? It's like justifying embedding GPS tracking in pamphlets that people hand out on the street.
There’s 90% chance that no, it’s not your business. There’s also a lot of chances that your website is about a product. In which case, it doesn’t make sense to know how many people come and read. People only need the information to know "will I buy that or not?" or, even more frequently "I’ve bought that but I don’t understand something".
Tracking is counterproductive in most scenarios. (but very few understand that)
Europe's parliament website[1] uses a cookie banner, even though its job is literally to just show information. If they want to track visitors, any non-trivial site would.
Which demonstrates exactly my point: web devs are now incapable of not tracking users even if it's actually harming their business.
I had an experience with a national meteo application including Facebook trackers. I complained and they replied that they were totally unaware of that fact. The tracking was added by default by the contractor as part of his standard template. (note: they removed the tracking after my complaint).
But it is also about people in charge, who are completely addicted to statistics about the number of visitors and all information. People like to track others. They actually want that.
The sad part is that nobody in IT really complains or tells them that it is creepy. We install blockers on our own computers and get over it, writing code that tracks those without blockers without batting an eye.
> The sad part is that nobody in IT really complains or tells them that it is creepy.
Which may be because if you do, you will typically be called the "technical person" who "doesn't understand anything about 'normal' users" and you should be more focused on your actual technical tasks.
You don't need cookies for it, but it very much makes a difference how many people come and read. Optimising the visitor-to-buyer pipeline is an important job for retail. To even begin doing that, you need to know what percentage of visitors bought something.
Your opinion is comprehensible from a user's standpoint.
Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately.
There's a lot of pressure to provide certain numbers or at least to collect them "just to be sure". Typically this requirement comes without any willingness to invest money, because "you can just install Google Analytics for free".
I don't want to justify this at all, because I believe in the long run these numbers aren't worth what people claim they are worth at all. I just wanted to explain that not everyone is "bad" or "anti-social" for complying with "leadership" decisions and installing a CMP and Google Analytics.
> Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately
Nobody is forcing anybody to do this, this is a personal and business decision to make more money at the expense of users' well-being. When you're surrounded by lots of people that think a certain way, you start to see it as acceptable and even good.
Though I know lots of people that disagree, I personally don't think it's justifiable. If someone finds it justifiable, they should take responsibility for it.
My experience is that the source of all this is the fear of having a substantial disadvantage against the competition and having to defend your decision of sustaining such a perceived disadvantage against the CEO/board. Understandable from my point of view, even though I don't like the outcome. This then usually trickles down the hierarchy in companies and, yes, someone will somehow implement it to earn their living. I'd define the implication of losing your livelihood as a consequence of not doing what you are told as force, but that is open to opinion I guess.
An anecdote that might be worth mentioning in this context:
I was once told by some CEO that they didn't hire a really qualified person, because that person had enough money to not be dependent on the job. This is, in my experience, an appropriate reflection of the role of money in controlling people's decisions. It's essential that you are dependent so that you can be forced to comply or risk losing your livelihood.
You won't get precise numbers anyway - if you're large enough, adblock will kill even your first-party analytics. On the other hand, people with multiple devices will be undercounted. At that point, you may as well start counting access per IP and adjust for the known CGNAT endpoints.
If you want to track me to calculate retention, you need my consent. Easy as that. You can't promise me you're only using my user ID for that single purpose. We've been taught through experience that if someone has data, it will be used.